Cannot browse the Web

Unanswered Question
Aug 6th, 2007

Hi Guys,

I have an ASA5520 with a /24 public network on the internal interface and /28 public network on the outside interface.

You guys kindly helped me with a routing problem last week - I am almost there but now have this problem:

My test PC on the inside network (customer) cannot browse the internet via http. I can ping and resolve via DNS.

I have opened up the ASA completely so that any traffic of any type is allowed both ways - but still I cannot browse!

Any ideas?

Here is the running-conf:

: Saved

ASA Version 7.0(6)

hostname cr01-sh

enable password xxx

name 213.x.x.2 Aurix01-s01
name 90.x.x.56 Niall_Home
name 213.x.x.3 Test01 description Delete This Once working

interface GigabitEthernet0/0
 nameif WAN
 security-level 0
 ip address 217.x.x.34

interface GigabitEthernet0/1
 nameif Customer
 security-level 10
 ip address 213.x.x.254

interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address

interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address

interface Management0/0
 nameif management
 security-level 100
 ip address

passwd xxx
ftp mode passive
access-list WAN_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu WAN 1500
mtu Customer 1500
mtu management 1500
no failover
monitor-interface WAN
monitor-interface Customer
monitor-interface management
icmp permit any WAN
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
static (Customer,WAN) Test01 Test01 netmask
access-group WAN_access_in in interface WAN
route WAN 217.x.x.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http WAN
http management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address management
dhcpd lease 3600
dhcpd ping_timeout 50

: end

1cmerchant Mon, 08/06/2007 - 10:05

I believe you'll need to add these statements in order to browse (or make any connection for that matter) from the Inside to the Outside network.

global (Outside) 1 interface

nat (Inside) 1 a.b.c.d n.n.n.n

Where a.b.c.d n.n.n.n is the network and subnet of the Inside network that you want to allow to make connections out via the Outside interface.

NiallDavis Mon, 08/06/2007 - 12:35

Hi, Thanks for your reply.

I can connect via other ports, i.e. dns, ping, smtp etc - but web pages will not load.

Also, I can see the TCP 80 connection building in the syslog and then teardown almost immediately.

Also, as I am connecting from another public network behind the firewall I don't want to use nat as, ultimately, the network will be used for hosting servers.

The problem just seems to be http!

Thanks again for your response.
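
The post above mentions TCP 80 connections being built and torn down almost immediately in the syslog. As an added example (not part of the thread), this Python pairs ASA Built/Teardown records (message IDs 302013 and 302014) and lists outbound port-80 flows that closed at once with no data, together with the teardown reason the ASA logged; the log lines are constructed and the name `short_lived` is hypothetical.

```python
import re

# Constructed sample lines in the ASA 302013/302014 syslog layout. Addresses
# are documentation ranges, not values from the thread.
SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 101 for WAN:192.0.2.80/80 (192.0.2.80/80) to Customer:198.51.100.3/1031 (198.51.100.3/1031)
%ASA-6-302014: Teardown TCP connection 101 for WAN:192.0.2.80/80 to Customer:198.51.100.3/1031 duration 0:00:00 bytes 0 TCP Reset-O
%ASA-6-302013: Built outbound TCP connection 102 for WAN:192.0.2.25/25 (192.0.2.25/25) to Customer:198.51.100.3/1032 (198.51.100.3/1032)
%ASA-6-302014: Teardown TCP connection 102 for WAN:192.0.2.25/25 to Customer:198.51.100.3/1032 duration 0:00:41 bytes 5120 TCP FINs
%ASA-6-302013: Built outbound TCP connection 103 for WAN:192.0.2.81/80 (192.0.2.81/80) to Customer:198.51.100.3/1033 (198.51.100.3/1033)
%ASA-6-302014: Teardown TCP connection 103 for WAN:192.0.2.81/80 to Customer:198.51.100.3/1033 duration 0:00:30 bytes 0 SYN Timeout
"""

# Outbound flows only: the ASA lists the lower-security side (the server) first.
BUILT = re.compile(r"-302013: Built outbound TCP connection (\d+) for "
                   r"\S+?:(\S+?)/(\d+) .*? to \S+?:(\S+?)/(\d+)")
TEARDOWN = re.compile(r"-302014: Teardown TCP connection (\d+) .*? duration "
                      r"(\d+):(\d\d):(\d\d) bytes (\d+)\s*(.*)$")


def short_lived(log, dst_port=80, max_secs=2, max_bytes=0):
    """Pair Built/Teardown records by connection id and return the flows to
    dst_port that closed within max_secs having moved at most max_bytes."""
    built, hits = {}, []
    for line in log.splitlines():
        if m := BUILT.search(line):
            # conn id -> (server address, server port, client address)
            built[m.group(1)] = (m.group(2), int(m.group(3)), m.group(4))
        elif m := TEARDOWN.search(line):
            flow = built.pop(m.group(1), None)
            if flow is None or flow[1] != dst_port:
                continue  # teardown without a matching build, or other port
            h, mi, s, nbytes = (int(m.group(i)) for i in (2, 3, 4, 5))
            secs = h * 3600 + mi * 60 + s
            if secs <= max_secs and nbytes <= max_bytes:
                hits.append({"conn": m.group(1), "server": flow[0],
                             "client": flow[2], "secs": secs, "bytes": nbytes,
                             "reason": m.group(6).strip()})
    return hits


if __name__ == "__main__":
    for hit in short_lived(SAMPLE_LOG):
        print(hit)
```

The `reason` field is the text the ASA appends to the teardown record (for example `TCP Reset-I`, `TCP Reset-O` or `SYN Timeout`), which indicates which side ended the flow.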


acomiskey Mon, 08/06/2007 - 12:42

Your other issue was solved by the ISP, right? Did you still have to add this to get it to work?

static (Customer,WAN) Test01 Test01 netmask

or does it (everything but http) also work without that?

NiallDavis Mon, 08/06/2007 - 12:46

Hi Acomiskey,

Yup - turns out it was the ISP at fault. Yes I didn't need the added line to get access - although everything bar web is working!



